The ^ regex metacharacter does not work to match the beginning of the subject line in DLP Endpoint Email detection when using a regex condition/exception

Article ID: 407610

Products

Data Loss Prevention Core Package Data Loss Prevention Data Loss Prevention Sensitive Image Recognition Data Loss Prevention Plus Suite Data Loss Prevention Network Prevent for Web Virtual Appliance Data Loss Prevention Network Prevent for Email Virtual Appliance Data Loss Prevention Network Prevent for Email Data Loss Prevention Network Monitor and Prevent for Web Data Loss Prevention Network Monitor and Prevent for Email and Web Data Loss Prevention Network Monitor and Prevent for Email Data Loss Prevention Network Monitor Data Loss Prevention Enterprise Suite Data Loss Prevention Enforce Data Loss Prevention Endpoint Prevent Data Loss Prevention Endpoint Discover

Issue/Introduction

When crafting a DLP policy with a regex condition/exception that uses the ^ metacharacter to match a specific string at the beginning of the email subject, the condition does not match in Endpoint email detection.

Environment

DLP 16.0+

Cause

For DLP Endpoint, the email subject is not treated as a separate message component; instead it maps to the email envelope (header).

Refer to Detection Messages and Message Components

"The Endpoint does not have a subject component, so the subject component is mapped to the envelope."

As such, when the ^ regex metacharacter is used in a DLP condition to match characters at the start of the email subject, it does not match, because the subject line does not occur at the beginning of the header text.

This does not occur for email detection on Network Prevent for Email or Network Monitor detection servers, because in server detection the Subject component maps specifically to the email subject.

Refer to Selecting components to match on

Certain detection conditions match on the component for some types of messages. The subject is mapped on the header for the endpoint agent.
For the detection conditions that support subject component matching, you can match on the Subject for the following types of messages:
    • SMTP (email) messages from Network Monitor or Network Prevent for Email.
    • NNTP messages from Network Monitor.
To match on the Subject component, you must select (check) the Subject component and uncheck (deselect) the Envelope component for the policy rule. If you select both components, the system matches the subject twice because the message subject is included in the envelope as part of the header.

Resolution

If you need to match the beginning of the email subject line in Endpoint detection, do not use the ^ regex metacharacter. Instead, anchor the pattern on the Subject header label. For example, to look for the word "secure" at the start of the email subject:

(?i)(subject:\s)(secure)
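As an added illustration (not from the article), the following Python check runs the ^-anchored pattern and the header-anchored workaround against constructed sample text for the two cases the article describes: an Endpoint envelope, where the subject sits among other header lines, and a server Subject component, which holds only the subject text.

```python
import re

# Constructed sample inputs, not captured from a real agent or server.
# On Endpoint the subject is not a separate component: it sits inside the
# envelope (header) text after other header lines, so it never starts the text.
ENDPOINT_ENVELOPE = (
    "From: alice@example.com\r\n"
    "To: bob@example.com\r\n"
    "Date: Mon, 1 Jan 2024 09:00:00 +0000\r\n"
    "Subject: Secure delivery of Q1 report\r\n"
)

# On Network Prevent for Email / Network Monitor the Subject component holds
# the subject text on its own, so ^ anchors to its first character.
SERVER_SUBJECT_COMPONENT = "Secure delivery of Q1 report"

# The ^-anchored pattern that fails on Endpoint, and the header-anchored
# workaround from the article. Both are case-insensitive via (?i).
CARET_ANCHOR = r"(?i)^secure"
HEADER_ANCHOR = r"(?i)(subject:\s)(secure)"


def matches(pattern: str, text: str) -> bool:
    """True if the regex matches anywhere in the text. A regex condition fires
    on a partial match, so use search() rather than fullmatch(). Without the
    MULTILINE flag, ^ matches only at the very start of the text."""
    return re.search(pattern, text) is not None


def evaluate(text: str) -> dict:
    """Run both patterns against one message component and report the result."""
    return {
        "caret_anchor": matches(CARET_ANCHOR, text),
        "header_anchor": matches(HEADER_ANCHOR, text),
    }


if __name__ == "__main__":
    for name, component in (
        ("endpoint envelope", ENDPOINT_ENVELOPE),
        ("server subject component", SERVER_SUBJECT_COMPONENT),
    ):
        print(name, evaluate(component))
```

Note that the workaround pattern anchors on the header label, so on a detection server it matches the Envelope component (where the subject appears as part of the header) rather than the standalone Subject component; select the component to match on accordingly.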